vSphere & NSX: Active Directory over LDAPs authentication


As you might be aware, VMware has announced the deprecation of Integrated Windows Authentication (IWA) in a future vSphere release (see the VMware KB). So we had a task for our customers: switch them to Active Directory over LDAP authentication. I have prepared this manual and want to share it to save you the time of discovering and testing the procedure yourself.

I am going to use a secure LDAP connection (LDAPS) to AD. For that the AD domain controllers need server certificates; a simple bind over plain LDAP on port 389 would send the bind account's password in clear text. Let's issue the certificates from our own Certification Authority (AD CS) instead of buying them.

The following steps are done on the first AD domain controller:

  1. Create a domain user with default permissions, for example ldapsauth@the.lab (the domain name depends on your setup). This account is only used to bind to the directory and read users and groups, so do not give it any additional rights.
  2. Open "Add roles and features" and add the Active Directory Certificate Services role.
  3. Configure the Certification Authority. Replace the CN and DN with your specific parameters and change the validity period to 10 years (this is the lifetime of the CA certificate, not of the certificates it issues).
  4. Reboot the host if necessary.
  5. Open MMC and add the Certificates snap-in for the local computer.
  6. You should see a certificate issued to the domain controller.

Note: do not forget that the domain controller certificate is issued for 365 days. You need to renew it and upload it to vCenter and NSX Manager each year.

  7. Run "ldp" (ldp.exe) from an elevated PowerShell or command prompt.
  8. Type in the name of your AD DC, port 636, and enable SSL. Click "OK" to connect.
  9. You should get a response similar to the following: ldp reports the secure connection and dumps the server's RootDSE attributes.

If you do not get a similar response, troubleshoot the certificate and do not continue with the next steps until this is fixed. Connect with the DC's FQDN, exactly as it will appear in the vCenter and NSX configuration, because the certificate is only valid for the names it contains.

  10. Run MMC, open Certificates and export the issued certificate (without the private key, Base64-encoded).

  11. Now you need to request a certificate on the second AD domain controller. Open certlm.msc (or MMC -> Certificates for the local computer) on the second DC and request a certificate from the CA you just configured.
  12. Export the certificate from the second AD domain controller in the same way.
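The ldp.exe check and the MMC export above, scripted. This is an added example and not code from the original post: Test-LdapsEndpoint does what ldp does with "SSL" ticked (a TLS handshake on 636) and additionally reports the certificate's remaining lifetime and whether the name you connected to is actually in the certificate; Export-DcLdapsCertificate picks the DC's Server Authentication certificate out of the local machine store and writes it as a Base64 .cer without the private key. The hostnames ad01.the.lab and ad02.the.lab and the folder C:\ldaps-certs are assumptions; the same two functions are what you run again a year later, before the renewal steps at the end of this post.

```powershell
# Added example, not code from the original post. Hostnames, the output folder and the
# certificate file names are assumptions; replace them with your own.

function Test-LdapsEndpoint {
    # Opens a TLS session to the DC on 636 (what ldp.exe does with "SSL" ticked) and returns
    # the server certificate details, including how long it has left and whether the name
    # we connected to is actually present in the certificate.
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$ComputerName,
        [int]$Port = 636
    )
    $tcp = New-Object System.Net.Sockets.TcpClient
    try {
        $tcp.Connect($ComputerName, $Port)
    } catch {
        $tcp.Dispose()
        return [pscustomobject]@{ Host = $ComputerName; Reachable = $false; Error = $_.Exception.Message }
    }
    # Capture the chain result instead of failing the handshake, so a certificate from our
    # own CA shows up as "reachable but not trusted by this machine" rather than as an error.
    $state = @{ ChainStatus = 'None' }
    $callback = [System.Net.Security.RemoteCertificateValidationCallback]({
        param($sender, $certificate, $chain, $policyErrors)
        $state.ChainStatus = $policyErrors.ToString()
        return $true
    }.GetNewClosure())
    $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $callback)
    try {
        $ssl.AuthenticateAsClient($ComputerName)
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
        $sanExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }   # subjectAltName
        $san = if ($sanExt) { $sanExt.Format($false) } else { '' }
        $pattern = [regex]::Escape($ComputerName)
        [pscustomobject]@{
            Host          = $ComputerName
            Reachable     = $true
            Subject       = $cert.Subject
            Issuer        = $cert.Issuer
            Thumbprint    = $cert.Thumbprint
            NotAfter      = $cert.NotAfter
            DaysRemaining = [int]($cert.NotAfter - (Get-Date)).TotalDays
            NameMatches   = [bool](($cert.Subject -match "CN=$pattern") -or ($san -match $pattern))
            ChainStatus   = $state.ChainStatus
            TlsProtocol   = $ssl.SslProtocol
        }
    } catch {
        [pscustomobject]@{ Host = $ComputerName; Reachable = $true; Error = "TLS handshake failed: $($_.Exception.Message)" }
    } finally {
        $ssl.Dispose()
        $tcp.Dispose()
    }
}

function Export-DcLdapsCertificate {
    # Run on the DC itself. Schannel serves the LocalMachine\My certificate that carries the
    # Server Authentication EKU and the DC's FQDN; export the newest such certificate as a
    # PEM .cer without the private key, which is the form the vCenter and NSX dialogs accept.
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$DcFqdn,
        [Parameter(Mandatory)][string]$OutFolder
    )
    $cert = Get-ChildItem Cert:\LocalMachine\My |
        Where-Object {
            $_.HasPrivateKey -and
            ($_.EnhancedKeyUsageList.ObjectId -contains '1.3.6.1.5.5.7.3.1') -and
            ($_.DnsNameList.Unicode -contains $DcFqdn)
        } |
        Sort-Object NotBefore -Descending | Select-Object -First 1
    if (-not $cert) { throw "No Server Authentication certificate for $DcFqdn in LocalMachine\My" }

    $null  = New-Item -ItemType Directory -Path $OutFolder -Force
    $path  = Join-Path $OutFolder "$DcFqdn.cer"
    $der   = $cert.Export([System.Security.Cryptography.X509Certificates.X509ContentType]::Cert)
    $b64   = [Convert]::ToBase64String($der)
    $lines = for ($i = 0; $i -lt $b64.Length; $i += 64) { $b64.Substring($i, [Math]::Min(64, $b64.Length - $i)) }
    Set-Content -Path $path -Encoding Ascii -Value (@('-----BEGIN CERTIFICATE-----') + $lines + '-----END CERTIFICATE-----')
    [pscustomobject]@{ Path = $path; Thumbprint = $cert.Thumbprint; NotAfter = $cert.NotAfter }
}

# From the admin workstation: the same check you did with ldp.exe, for every DC at once.
'ad01.the.lab', 'ad02.the.lab' | ForEach-Object { Test-LdapsEndpoint -ComputerName $_ } | Format-Table -AutoSize

# On each DC, then copy the .cer files to the machine you use the vSphere Client from:
# Export-DcLdapsCertificate -DcFqdn 'ad01.the.lab' -OutFolder 'C:\ldaps-certs'
```

A row with NameMatches set to False means the DC answered with a certificate that does not contain the name you used; vCenter will reject that URL even if the certificate you upload is the right one, so fix the name (or re-issue the certificate with the FQDN in the SAN) before going on. ChainStatus is about the workstation's own trust store and can be ignored here, because vCenter and NSX validate against the certificates you upload, not against Windows.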

  13. Configure vCenter to use an LDAPS connection to AD.

Open the vSphere Client, go to Administration -> Single Sign On -> Configuration -> Identity Provider -> Identity Sources, and click ADD.

Fill in all the required information:
You might want to use the whole domain to search for users and groups; in that case define the root "DC=the,DC=lab" as the base distinguished name for both users and groups.
Type in the username and password of the AD user you created in step 1 of this manual.
Specify the domain controller URLs, like "ldaps://ad01.the.lab:636" and "ldaps://ad02.the.lab:636". The hostnames must match the names in the certificates.
Upload the SSL certificates you exported in the previous steps for both AD domain controllers.

  14. You should see the new LDAPS identity source.
  15. Configure NSX Manager to use an LDAPS connection to AD.

Open NSX Manager -> System -> Users and Roles -> LDAP and click "Add Identity Source".

  16. Fill in:

Name – name of the connection, for example "LDAPS to the.lab"
Domain Name – for example "the.lab"
Type – "Active Directory over LDAP"
Base DN – specific to your AD, for example "DC=the,DC=lab"
Description – optional
Click "Set" for LDAP Servers.

Click "Add LDAP Server" and provide:
Hostname/IP – name of the AD DC (use the FQDN that is in the certificate),
LDAP Protocol – "LDAPS",
Port – 636,
Certificate – the certificate you exported from this DC (as the note above says, NSX Manager needs the renewed certificate each year as well),
Bind Identity – the AD user account used for authentication (read-only permissions in AD are enough),
Password,
Click "Check Status" and then "Apply".

  17. Finally you should see the identity source configured and tested.
  18. Switch to "User Role Assignment" and click "Add".
  19. Choose "Role Assignment for LDAP".
  20. Select your search domain (the one you named earlier), search AD for the user or group, set the roles and save.
  21. You should see your user or group added to the list.
  22. All done, you are ready to test your AD authentication over LDAPS!

The next steps are required when the certificate has been re-issued (after 365 days, for example). Plan a short maintenance window: between removing and re-creating the identity source, AD users cannot log in to vCenter.

  1. Open MMC, add the Certificates snap-in.

Go to Certificates -> Personal -> Certificates.
Check the new certificate (it should have the same name as the original but a new issue date and a new valid-to date).
Follow the same steps as above to export the certificate, on each domain controller.

  2. Upload the re-issued certificates to the vCenter LDAP configuration.

Open the vCenter UI.
Go to Administration -> Single Sign On -> Configuration -> Identity Provider -> Identity Sources.

It is not possible to upload re-issued certificates into the existing vCenter LDAP configuration. You need to save your configuration to a text file, remove the LDAP identity source and create a new one with the same parameters and the fresh re-issued certificates, as in the previous steps.
Note: ensure you have the password for the AD service account used for LDAP authentication (in my case ldapsauth@the.lab).

Click "Add" and you are done! Do not forget to update the certificate on the NSX Manager LDAP server entries as well.
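The remove-and-recreate step, scripted so that the "configuration stored to a text file" is the script itself and the yearly renewal becomes repeatable. This is an added example and not code from the original post. It uses the VMware.vSphere.SsoAdmin PowerCLI module (Install-Module VMware.vSphere.SsoAdmin); the cmdlet and parameter names (Connect-SsoAdminServer, Get-IdentitySource, Remove-IdentitySource, New-LDAPIdentitySource and its -PrimaryUrl/-SecondaryUrl/-BaseDNUsers/-BaseDNGroups/-Certificates parameters) are taken from that module's documentation as an assumption here, so confirm them with Get-Help New-LDAPIdentitySource -Full for the version you install. The vCenter name vc01.the.lab, the domain alias and the file paths are placeholders.

```powershell
# Added example, not code from the original post. Cmdlet/parameter names of the
# VMware.vSphere.SsoAdmin module are assumed from its documentation; verify with Get-Help.
# vc01.the.lab, the alias THELAB and the paths under C:\ldaps-certs are placeholders.
Import-Module VMware.vSphere.SsoAdmin

# The identity-source parameters from the post, kept in one place so the re-created
# source is guaranteed to have the same settings as the one being removed.
$src = @{
    Name         = 'the.lab'
    DomainName   = 'the.lab'
    DomainAlias  = 'THELAB'
    PrimaryUrl   = 'ldaps://ad01.the.lab:636'
    SecondaryUrl = 'ldaps://ad02.the.lab:636'
    BaseDNUsers  = 'DC=the,DC=lab'
    BaseDNGroups = 'DC=the,DC=lab'
    Certificates = @('C:\ldaps-certs\ad01.the.lab.cer', 'C:\ldaps-certs\ad02.the.lab.cer')
}
$bind = Get-Credential -UserName 'ldapsauth@the.lab'           -Message 'AD bind account password'
$sso  = Get-Credential -UserName 'administrator@vsphere.local' -Message 'vCenter SSO administrator'

# Refuse to proceed if any of the new certificate files is missing or about to expire:
# removing the identity source without a valid replacement locks AD users out of vCenter.
foreach ($file in $src.Certificates) {
    $c = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($file)
    if ($c.NotAfter -lt (Get-Date).AddDays(7)) {
        throw "$file expires on $($c.NotAfter); export a freshly issued certificate first"
    }
}

$conn = Connect-SsoAdminServer -Server 'vc01.the.lab' -User $sso.UserName -Password $sso.GetNetworkCredential().Password
try {
    $old = Get-IdentitySource | Where-Object { $_.Name -eq $src.Name }
    if ($old) {
        # Keep a record of what is being removed before it is gone.
        $old | ConvertTo-Json -Depth 5 | Set-Content "C:\ldaps-certs\$($src.Name)-before-renewal.json"
        Remove-IdentitySource -IdentitySource $old
    }
    New-LDAPIdentitySource @src -Username $bind.UserName -Password $bind.GetNetworkCredential().Password
    # Show the re-created source so the run ends with visible confirmation.
    Get-IdentitySource | Where-Object { $_.Name -eq $src.Name }
} finally {
    Disconnect-SsoAdminServer -Server $conn
}
```

Keep the Name and DomainName identical to the source you remove, as the post says ("the same parameters"); that is what lets the existing role assignments for the.lab users and groups keep working after the re-creation. After the script finishes, log in to the vSphere Client with an AD account before closing the maintenance window.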


Yevgeniy Steblyanko

Yevgeniy Steblyanko is an Infrastructure Architect/SME with experience in virtualization area for more than 15 years. His areas of interest are VMware vSphere, vSAN, NSX, automation on PowerCLI/PowerNSX. He has VMware certifications: VCIX-DCV, VCIX-NV.


One Comment

  1. You can use only the root CA cert, which you will renew every 10 years in your vCenter's truststore, no need to hassle with the rest 😉
